# NixOS module: runs Immich and publishes it as https://immich.sysrq.ca
# through a Caddy reverse proxy.
{ lib, pkgs, ... }:
{
  # Immich application server, listening on every interface on TCP 2283.
  # NOTE(review): with host = "0.0.0.0" and 2283 in allowedTCPPorts below,
  # Immich is also reachable directly over plain HTTP, bypassing Caddy's TLS.
  # If 192.168.0.60 (the proxy upstream) is this same machine (not shown
  # here, confirm), then binding to 127.0.0.1, proxying to 127.0.0.1:2283
  # and dropping 2283 from the firewall list would leave Caddy as the only
  # entry point.
  services.immich.enable = true;
  services.immich.port = 2283;
  services.immich.host = "0.0.0.0";

  # Defaults for the NixOS ACME module.
  # NOTE(review): nothing in this file declares a security.acme certificate
  # or points Caddy at one, so these settings look unused by the virtual host
  # below; Caddy normally obtains its own certificates. Confirm against the
  # rest of the configuration.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "kellyl@sysrq.ca";

  # Caddy front end for the public hostname.
  # NOTE(review): reverse_proxy already sets X-Forwarded-For and passes Host
  # through by default, so two of the header_up lines below duplicate or
  # override those defaults. X-Real-IP is not set by default.
  services.caddy.enable = true;
  services.caddy.virtualHosts."immich.sysrq.ca".extraConfig = ''
    encode gzip
    # Automatically handle HTTPS via Let’s Encrypt
    # Caddy will request and renew certs for immich.sysrq.ca
    reverse_proxy http://192.168.0.60:2283 {
      # If Immich uses WebSockets, Caddy will proxy them automatically
      # Add headers if you want forward real client IP
      header_up X-Real-IP {remote_host}
      header_up X-Forwarded-For {remote_host}
      header_up Host {host}
    }
  '';

  # Inbound TCP ports: 80/443 for Caddy, 2283 for direct access to Immich.
  networking.firewall = {
    allowedTCPPorts = [
      80
      443
      2283
    ];
  };
}